CN105052177A - Wireless network system, terminal management device, wireless relay device, and communications method - Google Patents


Info

Publication number: CN105052177A
Authority: CN (China)
Prior art keywords: wireless terminal; terminal; network system; radio network; relay apparatus
Legal status: Granted
Application number: CN201480017480.0A
Other languages: Chinese (zh)
Other versions: CN105052177B (en)
Inventors: 浅野贵裕, 木村俊洋
Current assignee: Yamaha Corp
Original assignee: Yamaha Corp
Events: application filed by Yamaha Corp; publication of CN105052177A; application granted; publication of CN105052177B; legal status active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08 Access security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04B TRANSMISSION
    • H04B7/00 Radio transmission systems, i.e. using radiation field
    • H04B7/14 Relay systems
    • H04B7/15 Active relay systems
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W16/00 Network planning, e.g. coverage or traffic planning tools; Network deployment, e.g. resource partitioning or cells structures
    • H04W16/24 Cell structures
    • H04W16/26 Cell enhancers or enhancement, e.g. for tunnels, building shadow
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W48/00 Access restriction; Network selection; Access point selection
    • H04W48/08 Access restriction or access information delivery, e.g. discovery data delivery
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W84/00 Network topologies
    • H04W84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W84/10 Small scale networks; Flat hierarchical networks
    • H04W84/12 WLAN [Wireless Local Area Networks]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Provided is a technology whereby only wireless terminals that meet a security policy are connected to a company internal network, without a large increase in cost. A wireless network system that forms a company internal network includes wireless access point devices to which wireless terminals holding prescribed connection information connect, and is provided with a terminal management device having: a determination means that communicates with wireless terminals over a communications network different from the wireless network system and determines whether the wireless terminals meet a predetermined security policy; and a connection information transmission means that sends the connection information to wireless terminals determined by the determination means to meet the security policy.

Description

Wireless network system, terminal management apparatus, relay apparatus and communication method
Technical field
The present invention relates to a technology for allowing only a terminal that satisfies a predetermined security policy (for example, one that has no security vulnerabilities) to connect to a wireless network system.
Background technology
Smart devices (for example, smartphones and tablet terminals) are spreading rapidly. Smart devices of these kinds differ from conventional personal digital assistants (PDAs) and conventional notebook computers in that they have many different functions, such as a function for executing application programs, a communication function and an imaging function. Such smart devices are therefore commonly used both for the user's private purposes and for the user's work, and the spread of smart devices has brought with it the spread of bring your own device (BYOD). In particular, when the company internal network provided on the corporate premises where the user works includes a wireless LAN (WLAN), the smart device held by the user is connected to the company internal network through that WLAN and used in the user's work.
In BYOD, in order to prevent viruses from intruding into the company internal network and to prevent leakage of secrets, usually only terminal devices that satisfy a predetermined security policy are allowed to connect to the company internal network. Smart devices are usually connected to the company internal network through the WLAN included in that network, so a quarantine system corresponding to a wireless network system (such as a WLAN) is needed in order to realize BYOD for smart devices. A quarantine system is a system that checks whether a terminal device attempting to connect to the company internal network satisfies the predetermined security policy. Prior art relating to such quarantine systems includes the technologies disclosed in patent document 1 and non-patent document 1.
Patent document 1 describes a situation in which the company internal network is logically divided using virtual LANs (VLANs), and one of those VLANs serves as a "quarantine VLAN". According to the technology disclosed in patent document 1, when a terminal device connects to the company internal network, it is first connected to the quarantine VLAN and checked as to whether it satisfies the security policy; only when it does is it connected to the VLAN used for work, thereby realizing quarantine of personal terminals. Non-patent document 1, meanwhile, discloses a technology in which dedicated software installed in the terminal monitors the connection destination in real time, identifies whether the destination is the company internal network or another network (such as a general public line), and switches the communication settings of the terminal according to the result (for example, preventing access to networks outside the company while connected to the company internal network), thereby preventing leakage of secret information.
Reference list
Patent documents
Patent document 1: JP-A-2006-331128
Non-patent documents
Non-patent document 1: Keizo HIKAWA, "MDM to Switch Work and Private Mode according to Destination Network; Basic Announced", [online], September 10, 2012, Nikkei BP, retrieved March 21, 2013, Internet <URL: http://itpro.nikkeibp.co.jp/article/NEWS/20120910/421722/>
Summary of the invention
Technical problem
The technology disclosed in patent document 1 has the problem that, because the company internal network must be divided into multiple VLANs, the system is relatively complex and the cost of initial setup and operation increases to some extent. The technology disclosed in non-patent document 1, on the other hand, has the problem that, because the terminal's settings are not switched until the terminal is connected to the company internal network, a fraudulent setting can be used to establish the connection to the company internal network.
The present invention has been made in view of the above problems, and its object is to provide a technology that allows only wireless terminals satisfying a security policy to connect to a company internal network, without causing a significant increase in cost.
Solution to the technical problem
In order to solve the above problem, according to one aspect of the present invention, a wireless network system comprising a relay apparatus and a terminal management apparatus is provided, wherein the terminal management apparatus comprises: a determination unit configured to communicate with a wireless terminal through a communication network different from the wireless network system and to judge whether the wireless terminal satisfies a predetermined security policy; and a connection information transmitting unit configured to transmit connection information to a wireless terminal judged by the determination unit to satisfy the security policy.
According to this aspect, the terminal management apparatus judges whether a wireless terminal satisfies the security policy, and only when the wireless terminal satisfies it is the connection information transmitted from the terminal management apparatus to the terminal. The connection information is transmitted through a communication network different from the wireless network system. Without the connection information, a wireless terminal cannot connect to the relay apparatus (specifically, a wireless access point apparatus), so the connection of wireless terminals that do not satisfy the security policy can be reliably prevented. Moreover, according to this aspect, there is no need to provide a quarantine VLAN for judging whether a wireless terminal satisfies the security policy, so cost does not increase. Therefore, when a company internal network is built using the wireless network system of the present invention as the wireless network system that accepts wireless terminals, only wireless terminals satisfying the security policy are connected to the company internal network, without a significant increase in cost.
In the above aspect, the following may be considered: the wireless network system further comprises a detection means that detects that a wireless terminal has entered the service area of the wireless network system, and the terminal management apparatus performs the judgement regarding the security policy, using the determination unit, for the wireless terminal detected by the detection means.
According to this aspect, quarantine of a wireless terminal can be performed immediately after the terminal enters the service area of the wireless network system and before it attempts to connect to the wireless network system, and, compared with a case in which quarantine of wireless terminals is performed periodically, battery consumption of the wireless terminal can be suppressed.
In the above aspect, an aspect in which the relay apparatus serves as the detection means may be considered. For example, when the relay apparatus is a wireless access point apparatus, the relay apparatus (wireless access point apparatus) detects that a wireless terminal has entered its service area in response to receiving a probe request from the wireless terminal. According to this aspect, compared with an aspect in which a sensor provided separately from the relay apparatus serves as the detection means, no sensor is needed, so cost can be kept low.
As a further aspect, the following may be considered: the terminal management apparatus periodically communicates, through the relay apparatus, with wireless terminals connected to the relay apparatus and performs the judgement using the determination unit; and the terminal management apparatus deletes the connection information from a wireless terminal in response to the determination unit judging that the terminal does not satisfy the security policy. According to this aspect, security holes such as changes to the settings of a wireless terminal after it has connected to the relay apparatus can be avoided.
In order to solve the above problem, according to a further aspect of the present invention, a terminal management apparatus is provided, comprising: a determination unit configured to communicate with a wireless terminal through a communication network different from a wireless network system that includes a relay apparatus, and to judge whether the wireless terminal satisfies a predetermined security policy; and a connection information transmitting unit configured to transmit connection information for connecting to the relay apparatus to a wireless terminal judged by the determination unit to satisfy the security policy.
In order to solve the above problem, according to another aspect of the present invention, a relay apparatus included in a wireless network system is provided, the relay apparatus comprising: a terminal notification unit configured to notify a terminal identifier of a wireless terminal to a higher-level device when the radio wave intensity of a request message received from the wireless terminal exceeds a predetermined threshold and the terminal identifier of the wireless terminal has been registered in advance; and an updating unit configured to update, according to an instruction from the higher-level device, a filter that restricts the wireless terminals with which communication is performed.
In order to solve the above problem, according to another aspect of the present invention, a communication method is provided, comprising: communicating with a wireless terminal through a communication network different from a wireless network system that includes a relay apparatus, and judging whether the wireless terminal satisfies a predetermined security policy; and transmitting connection information for connecting to the relay apparatus to a wireless terminal judged to satisfy the security policy.
In order to solve the above problem, according to another aspect of the present invention, a communication method of a relay apparatus included in a wireless network system is provided, the communication method comprising: when the radio wave intensity of a request message received from a wireless terminal exceeds a predetermined threshold and the terminal identifier of the wireless terminal has been registered in advance, notifying the terminal identifier of the wireless terminal to a higher-level device; and updating, according to an instruction from the higher-level device, a filter that restricts the wireless terminals communicating through the relay apparatus.
When the relay apparatus is a wireless access point apparatus, a concrete example of the terminal identifier is a MAC address, and an example of the filter is a MAC address filter.
The relay apparatus may further comprise a communication unit configured to communicate, using the wireless network system, with a wireless terminal that has obtained the connection information for connecting to the relay apparatus through the communication network different from the wireless network system.
For example, with a wireless network system that is included in a company internal network and comprises a wireless access point apparatus serving as the relay apparatus together with the terminal management apparatus, only wireless terminals satisfying the security policy are connected to the company internal network through the wireless network system, without a significant increase in cost.
Brief description of the drawings
Fig. 1 is a block diagram showing a configuration example of wireless network system 1 according to one embodiment of the present invention.
Fig. 2 is a diagram showing a configuration example of wireless access point apparatus 10 included in wireless network system 1.
Fig. 3 is a diagram showing a configuration example of terminal management apparatus 50 included in wireless network system 1.
Fig. 4 is a diagram showing a communication sequence in the embodiment.
Fig. 5 is a diagram showing the communication sequence in the embodiment.
Embodiment
Below, embodiments of the present invention are described with reference to the accompanying drawings.
(A: configuration)
Fig. 1 is a block diagram showing a configuration example of a communication system that includes wireless network system 1 of an embodiment of the present invention. Wireless network system 1 is, for example, a WLAN provided on corporate premises, and together with a wired LAN provided on the premises (not shown in Fig. 1) forms the company internal network. As shown in Fig. 1, wireless network system 1 comprises wireless access point apparatuses 10-n (n = 1 to N, where N is an integer of 2 or more), switch 20, AP controller 30, router 40 and terminal management apparatus 50. When there is no need to distinguish the individual wireless access point apparatuses 10-n (n = 1 to N), they are referred to below simply as "wireless access point apparatus 10".
Each wireless access point apparatus 10 and AP controller 30 are connected to switch 20 by signal lines such as LAN cables. Each wireless access point apparatus 10-n (n = 1 to N) is a device that connects to wireless terminals (such as smart terminals) according to a protocol defined by IEEE 802.11 or the like. In this embodiment, the wireless access point apparatuses 10-n are arranged throughout the corporate premises, so that the interior of the premises in which wireless network system 1 is provided is covered by the regions in which the radio waves transmitted by each access point apparatus can be received with sufficient strength (hereinafter, the service area of the wireless access point apparatus).
Fig. 2 is a diagram showing a configuration example of wireless access point apparatus 10. As shown in Fig. 2, wireless access point apparatus 10 comprises control unit 110, radio communication I/F unit 120, memory unit 130 and bus 140, which relays the data exchanged between these components. Control unit 110 is a central processing unit (CPU). Control unit 110 serves as the control center of wireless access point apparatus 10 by executing the programs stored in memory unit 130 (more precisely, in non-volatile memory unit 134). Radio communication I/F unit 120 comprises, for example, an antenna, a modulation circuit and a demodulation circuit (none shown). Radio communication I/F unit 120 modulates the data received from control unit 110, superimposes the data on a carrier wave and transmits the carrier wave into the radio space; conversely, it demodulates the data carried on a carrier wave received from the radio space and provides that data to control unit 110.
Memory unit 130 comprises volatile memory unit 132 and non-volatile memory unit 134. Volatile memory unit 132 is, for example, random access memory (RAM), and is used as a working area when control unit 110 executes various programs. Non-volatile memory unit 134 is, for example, electrically erasable programmable read-only memory (EEPROM). The data and programs that cause control unit 110 to perform the processing that notably characterizes this embodiment are stored in non-volatile memory unit 134.
Examples of the data stored in non-volatile memory unit 134 include a MAC address list, a data array of the MAC addresses of those wireless terminals, among the personally owned wireless terminals held by company employees, whose use for business has been applied for. Examples of the programs stored in non-volatile memory unit 134 include a radio communication program that causes control unit 110 to perform the following terminal notification process: in response to receiving a probe request from a wireless terminal, detect that the source of the probe request has entered the service area of the wireless access point, and, when that wireless terminal is one whose use has been applied for in advance, notify its MAC address to a higher-level device (in this embodiment, AP controller 30). In addition, as in a typical wireless access point device, control unit 110 operating according to the radio communication program also performs the process of updating the MAC address filter according to instructions from AP controller 30.
A probe request is a message sent by a wireless terminal to nearby wireless access point apparatuses to request a wireless network identifier (such as an ESSID). Wireless access point apparatus 10 of this embodiment is configured not to broadcast its network identifier periodically, and not to respond to probe requests by broadcasting the network identifier or the like. This is intended to prevent the network identifier from leaking to third parties and the unauthorized access that would result.
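The following is an added example, not code from the patent, modelling the probe-request handling just described for wireless access point apparatus 10: the network identifier is never announced in beacons or probe responses, and a MAC address notification frame is sent to the AP controller only when condition A holds (radio wave intensity above the threshold and the source MAC present in the pre-registered MAC address list). The RSSI threshold value, the frame layout, the MAC addresses and the method names are assumptions made for the example.

```python
# Added example (not part of the patent): a model of the probe-request handling
# of wireless access point apparatus 10. Threshold, frame layout, sample MAC
# addresses and method names are assumptions for the example.
from dataclasses import dataclass, field
from typing import Optional

RSSI_THRESHOLD_DBM = -70  # assumed value of the "predetermined threshold"


@dataclass
class ProbeRequest:
    src_mac: str
    rssi_dbm: int
    ssid: Optional[str] = None  # None models a wildcard (broadcast) probe


@dataclass
class AccessPoint:
    ap_id: str
    ssid: str                 # network identifier; never announced over the air
    registered_macs: set      # MAC address list held in non-volatile memory 134
    mac_filter: set = field(default_factory=set)     # MACs allowed to associate
    sent_frames: list = field(default_factory=list)  # MAC address notification frames

    def beacon_ssid(self) -> Optional[str]:
        """Periodic network-identifier broadcast is disabled, so beacons carry none."""
        return None

    def handle_probe_request(self, req: ProbeRequest) -> Optional[dict]:
        """Terminal notification process. Returns the MAC address notification
        frame sent to the AP controller when condition A holds, otherwise None.
        No probe response revealing the network identifier is ever produced."""
        mac = req.src_mac.lower()
        # Condition A, part 1: the radio wave intensity must exceed the threshold
        if req.rssi_dbm <= RSSI_THRESHOLD_DBM:
            return None
        # Condition A, part 2: the source must be a pre-registered terminal
        if mac not in self.registered_macs:
            return None
        frame = {"from_ap": self.ap_id, "mac": mac}  # payload carries the source MAC
        self.sent_frames.append(frame)
        return frame

    def update_mac_filter(self, allowed_macs) -> None:
        """Apply a MAC address filter update instruction from the AP controller."""
        self.mac_filter = {m.lower() for m in allowed_macs}

    def may_associate(self, mac: str) -> bool:
        """Association is accepted only for terminals present in the MAC address filter."""
        return mac.lower() in self.mac_filter


if __name__ == "__main__":
    ap = AccessPoint("ap-1", "corp-wlan", registered_macs={"02:00:00:00:00:01"})
    print(ap.handle_probe_request(ProbeRequest("02:00:00:00:00:01", -60)))  # frame sent
    print(ap.handle_probe_request(ProbeRequest("02:00:00:00:00:09", -50)))  # None: unregistered
    print(ap.may_associate("02:00:00:00:00:01"))  # False until the controller updates the filter
```

Two points worth noticing in the model: a terminal that is registered but too far away produces no notification, so the quarantine is only triggered for terminals actually in the service area; and the filter update is a separate step driven by the controller, so a registered terminal still cannot associate until the terminal management apparatus has approved it.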
AP controller 30 is a device that centrally manages the network identifier assigned to each wireless access point apparatus 10-n (n = 1 to N), the frequency (channel) used by each, and the MAC address filter settings of each. AP controller 30 also has the function of storing, for each wireless access point apparatus 10-n, the terminal identifiers (information identifying a wireless terminal; in this embodiment, MAC addresses) of the wireless terminals connected to that apparatus, and of detecting the movement of a wireless terminal between wireless access point apparatuses (so-called handover).
Switch 20 is connected to router 40, and terminal management apparatus 50 is connected to router 40. The wired LAN that forms the company internal network together with wireless network system 1 may be connected to switch 20 or to router 40. Router 40 is connected to the Internet 2, as shown in Fig. 1; that is, wireless network system 1 is connected to the Internet 2 through router 40. A mobile network 3 conforming to a communication standard such as 3G or Long Term Evolution (LTE) is also connected to the Internet 2.
Wireless terminal 60 is a smart device held by a company employee. Wireless terminal 60 has a function of establishing a wireless communication link with a base station (not shown) of mobile network 3 and performing data communication (hereinafter, the first radio communication function), and a function of connecting to a wireless access point apparatus 10-n (n = 1 to N) and performing data communication (hereinafter, the second radio communication function). Of these two radio communication functions, the second can be switched between ON and OFF according to the user's instruction. When the second communication function is switched to ON by the user's instruction, wireless terminal 60 transmits the probe request described above. Information representing the host name assigned to terminal management apparatus 50 is stored in wireless terminal 60 in advance. Wireless terminal 60 determines the communication address (IP address) of terminal management apparatus 50 from that host name, and performs data communication with terminal management apparatus 50 through mobile network 3 and the Internet 2 using the first radio communication function.
Terminal management apparatus 50 is a so-called mobile device management (MDM) server. Fig. 3 is a diagram showing a configuration example of terminal management apparatus 50. As shown in Fig. 3, terminal management apparatus 50 comprises control unit 510, communication I/F unit 520, memory unit 530 and bus 540, which relays the data exchanged between these components. Terminal management apparatus 50 may also be provided with devices other than these components, such as an external device I/F unit and a user I/F unit through which an operator performs various operations, but these are neither illustrated nor described because they are only loosely related to the features of this embodiment.
Like control unit 110 of wireless access point apparatus 10, control unit 510 is a CPU, and serves as the control center of terminal management apparatus 50 by executing the programs stored in memory unit 530 (more precisely, in non-volatile memory unit 534). Communication I/F unit 520 is, for example, a NIC, and is connected to router 40 by a signal line such as a LAN cable. Communication I/F unit 520 provides control unit 510 with the data received from router 40 through the signal line, and transmits the data received from control unit 510 through the signal line.
Memory unit 530 comprises volatile memory unit 532 and non-volatile memory unit 534. Volatile memory unit 532 is, for example, RAM, and is used as a working area when control unit 510 executes various programs. Non-volatile memory unit 534 is, for example, a hard disk. The data and programs that cause control unit 510 to perform the processing that notably characterizes this embodiment are stored in non-volatile memory unit 534.
Examples of the data stored in non-volatile memory unit 534 include data representing the company's security policy (hereinafter, policy data). Concrete examples of policy data include data representing the types or versions of the operating system (OS) and application software that must be installed in a terminal device to be connected to wireless network system 1, and data representing application software that must not be installed in the terminal device. The policy data is used when judging whether a wireless terminal that is the source of a probe request satisfies the security policy (that is, when quarantining the wireless terminal), as described in more detail below. In addition, the connection information a wireless terminal needs in order to connect to wireless access point apparatus 10 (for example, the network identifier of wireless network system 1, information representing the encryption method used for radio communication with wireless access point apparatus 10, and information representing the secret key used in that encryption) is also stored in advance in non-volatile memory unit 534 (not shown in Fig. 3).
Examples of the programs stored in non-volatile memory unit 534 include a quarantine program that causes control unit 510 to perform the quarantine process that notably characterizes this embodiment. Details are given in the operation example to avoid repeated description, but control unit 510 operating according to the quarantine program serves as the determination unit: in response to notification of a MAC address from AP controller 30, it communicates through the Internet 2 and mobile network 3 with the wireless terminal represented by that MAC address, obtains state information representing the state of the terminal (data representing the types or versions of the installed OS and application software), and judges whether the security policy represented by the policy data is satisfied. Control unit 510 operating according to the quarantine program also serves as the connection information transmitting unit, which transmits the connection information through the Internet 2 and mobile network 3 to a wireless terminal judged to satisfy the security policy, and causes the connection information to be stored.
The above is the configuration of wireless network system 1.
(B: operation)
Next, by according to until the user of wireless terminal 60 goes to work to office, to work and the operation of flow process to the present embodiment leaving office is described.
When user performs operation radio communication function being switched to ON, wireless terminal 60 sends above-mentioned probe requests thereby (see Fig. 4).The control unit 110 of wireless access point apparatus 10 detects the service area that wireless terminal 60 enters wireless access point apparatus in response to the reception to the probe requests thereby sent from wireless terminal 60.As shown in Figure 4, first whether control unit 110 meet predetermined condition A to probe requests thereby, radio intensity of wave exceedes the condition of predetermined threshold, and transmission source is the condition of the wireless terminal that pre-first to file uses) carry out judging (step SA110).Particularly, when the MAC Address of the transmission source of probe requests thereby is registered in MAC Address list in advance, control unit 110 judges the first to file use in advance of described wireless terminal.In addition, when the result of determination in step SA110 is "Yes", control unit 110 sends a frame (hereinafter, MAC Address notification frame) (step SA120) to AP controller 30, in the frame the transmission source of probe requests thereby is written with pay(useful) load part.
The MAC address notification frame transmitted from the wireless access point apparatus 10 is thus received by the AP controller 30 via relay by the switch 20. The AP controller 30 notifies the terminal management apparatus 50, via the switch 20 and the router 40, of the MAC address written in the received MAC address notification frame (see Fig. 4). The control unit 510 of the terminal management apparatus 50 starts the quarantine process in response to the notification of that MAC address (step SA200).
Fig. 5 is a sequence diagram showing the communication process within the quarantine process. As shown in Fig. 5, the control unit 510 of the terminal management apparatus 50 establishes a communication connection via the Internet 2 and the mobile network 3 with the device identified by the MAC address notified by the AP controller 30 (in this operation example, the wireless terminal 60) as the partner device, and obtains state information. Subsequently, the control unit 510 determines whether the state represented by the state information obtained from the wireless terminal 60 satisfies the predetermined security policy (that is, the security policy represented by the policy data) (step SA210).
Only when the state of the wireless terminal 60 satisfies the security policy (when the result of the determination in step SA210 is "Yes") does the control unit 510 transmit, via the Internet 2 and the mobile network 3, the connection information required for establishing a wireless communication connection with the wireless access point apparatus 10 to the wireless terminal 60, and store that information (step SA220). In addition, the control unit 510 notifies the AP controller 30 of the MAC address of the wireless terminal 60 (not shown in Fig. 5). When the AP controller 30 receives the MAC address from the terminal management apparatus 50, it issues an update instruction for updating the MAC address filter to each wireless access point apparatus 10-n (n = 1 to N), so as to allow the terminal identified by that MAC address to connect to the wireless network system 1. Each wireless access point apparatus 10-n (n = 1 to N) updates its MAC address filter according to the update instruction.
The wireless terminal 60 uses the connection information received from the terminal management apparatus 50 to connect to the nearest wireless access point apparatus 10. As described above, the MAC address filter of the wireless access point apparatus 10 has been set to allow the connection of the wireless terminal 60. The wireless terminal 60 is therefore connected to the wireless network system 1 through the nearest wireless access point apparatus 10. On the other hand, when the state of the wireless terminal 60 does not satisfy the security policy, no connection information is transmitted from the terminal management apparatus 50 to the wireless terminal 60. Nor is the MAC address of the wireless terminal 60 notified from the terminal management apparatus 50 to the AP controller 30, and the update of the MAC address filter of the wireless access point apparatus 10 that would allow the connection of the wireless terminal 60 is not performed. The wireless terminal 60 is therefore not connected to the wireless network system 1. Thus, the wireless terminal 60 is connected to the wireless network system 1 only when it satisfies the predetermined security policy, so that a terminal that does not satisfy the security policy can be reliably prevented from connecting to the company's internal network through the wireless network system 1. Even when the wireless terminal 60 does not satisfy the security policy and is not connected to the wireless network system 1, it can of course still connect to a wireless network system other than the wireless network system 1 (for example, another wireless communication network such as Wi-Fi, or the mobile network 3) and freely access the Internet 2.
While the wireless terminal 60 is connected to the wireless network system 1 in the manner described above, the control unit 510 of the terminal management apparatus 50 periodically obtains state information from the wireless terminal 60 via the router 40, the switch 20 and the wireless access point apparatus 10, and confirms that the state information satisfies the security policy. When the state of the wireless terminal 60 no longer satisfies the security policy, the control unit 510 deletes the connection information for the wireless network system 1 from the wireless terminal 60, notifies the AP controller 30 of the MAC address of the wireless terminal 60, and has the MAC address filter of the wireless access point apparatus 10 updated again so as to exclude the wireless terminal 60 from the connection targets. This is because, from the standpoint of ensuring security, continuing a connection to a wireless terminal that does not satisfy the security policy is undesirable, and the intent is to prevent fraud (for example, changing the settings of the wireless terminal 60 after the connection to the wireless access point apparatus has been completed).
When the user leaves the office, for example, so that the wireless terminal 60 moves out of the service area of the wireless access point apparatus 10 and the connection is disconnected, the wireless access point apparatus 10 notifies the AP controller 30 of the MAC address of the wireless terminal 60 to inquire whether a handover has occurred. The AP controller 30 confirms whether the wireless terminal 60 has been handed over to another wireless access point apparatus 10. When the wireless terminal 60 has not been handed over, the AP controller 30 notifies the terminal management apparatus 50 of the MAC address of the wireless terminal 60. The control unit 510 of the terminal management apparatus 50 communicates via the Internet 2 and the mobile network 3 with the wireless terminal identified by that MAC address, and deletes the connection information stored in the wireless terminal. This prevents the connection information, which was distributed on the condition that the security policy was satisfied, from being used fraudulently.
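The quarantine flow described above (condition A at step SA110, the policy check and connection information issue at steps SA210 and SA220, the periodic re-check and the revocation), as an added Python simulation that is not part of the patent. The class names, the concrete policy fields (OS version and antivirus definition version), the RSSI threshold and the MAC addresses are constructed assumptions.

```python
"""Constructed simulation of the quarantine process of the embodiment.
Not code from the patent; all identifiers, policy rules and sample data are assumed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class TerminalState:
    """State information reported by a terminal (fields assumed for the example)."""
    os_version: str
    av_definitions: str


@dataclass
class SecurityPolicy:
    """Policy data: minimum acceptable versions, compared as dotted numeric tuples."""
    min_os_version: str
    min_av_definitions: str

    @staticmethod
    def _ver(s: str):
        return tuple(int(p) for p in s.split("."))

    def satisfied_by(self, state: TerminalState) -> bool:
        return (self._ver(state.os_version) >= self._ver(self.min_os_version)
                and self._ver(state.av_definitions) >= self._ver(self.min_av_definitions))


class RelayApparatus:
    """Wireless access point apparatus 10-n: condition A check and MAC address filter."""

    def __init__(self, registered_macs: Set[str], rssi_threshold: int):
        self.registered = {m.lower() for m in registered_macs}  # MAC address list
        self.rssi_threshold = rssi_threshold                     # dBm, assumed unit
        self.mac_filter: Set[str] = set()                        # MACs allowed to associate

    def on_probe_request(self, mac: str, rssi: int) -> bool:
        """Step SA110/SA120: True when the controller must be notified of this MAC."""
        return rssi > self.rssi_threshold and mac.lower() in self.registered

    def update_filter(self, mac: str, allow: bool) -> None:
        """Apply an update instruction from the higher-level device."""
        (self.mac_filter.add if allow else self.mac_filter.discard)(mac.lower())

    def accepts(self, mac: str) -> bool:
        return mac.lower() in self.mac_filter


class TerminalManagementApparatus:
    """Terminal management apparatus 50 with the AP controller's fan-out folded in."""

    def __init__(self, policy: SecurityPolicy, aps: List[RelayApparatus]):
        self.policy = policy
        self.aps = aps
        self.issued: Dict[str, str] = {}  # MAC -> connection information sent (SA220)

    def _update_all(self, mac: str, allow: bool) -> None:
        for ap in self.aps:               # AP controller 30 instructs every 10-n
            ap.update_filter(mac, allow)

    def quarantine(self, mac: str, state: TerminalState) -> Optional[str]:
        """Steps SA210/SA220: connection information if compliant, otherwise None."""
        mac = mac.lower()
        if not self.policy.satisfied_by(state):
            return None                   # nothing sent, filter left untouched
        conn_info = f"ssid=corp-wlan;psk=<constructed-secret-for-{mac}>"
        self.issued[mac] = conn_info
        self._update_all(mac, allow=True)
        return conn_info

    def recheck(self, mac: str, state: TerminalState) -> bool:
        """Periodic check of a connected terminal; revokes when the policy fails."""
        mac = mac.lower()
        if mac in self.issued and not self.policy.satisfied_by(state):
            self.revoke(mac)
            return False
        return mac in self.issued

    def revoke(self, mac: str) -> None:
        """Delete the stored connection information and exclude the MAC everywhere."""
        self.issued.pop(mac.lower(), None)
        self._update_all(mac, allow=False)


def run_scenario() -> Dict[str, object]:
    """Walk three constructed terminals through the flow and collect the outcomes."""
    policy = SecurityPolicy(min_os_version="10.3", min_av_definitions="2014.3.1")
    registered = {"00:11:22:33:44:55", "66:77:88:99:aa:bb"}
    aps = [RelayApparatus(registered, rssi_threshold=-70) for _ in range(2)]
    tma = TerminalManagementApparatus(policy, aps)
    out: Dict[str, object] = {}
    # Terminal A: registered, strong signal, compliant -> gets connection info.
    mac_a = "00:11:22:33:44:55"
    if aps[0].on_probe_request(mac_a, rssi=-55):
        out["a_conn"] = tma.quarantine(mac_a, TerminalState("10.4", "2014.3.2"))
    out["a_accepted"] = aps[1].accepts(mac_a)       # every AP's filter was updated
    # Terminal B: registered but antivirus definitions outdated -> nothing issued.
    mac_b = "66:77:88:99:AA:BB"
    if aps[0].on_probe_request(mac_b, rssi=-60):
        out["b_conn"] = tma.quarantine(mac_b, TerminalState("10.4", "2013.12.1"))
    out["b_accepted"] = aps[0].accepts(mac_b)
    # Terminal C: unregistered MAC, never reaches the controller.
    out["c_notified"] = aps[0].on_probe_request("de:ad:be:ef:00:01", rssi=-40)
    # Terminal A later reports outdated definitions -> revoked at the re-check.
    out["a_recheck"] = tma.recheck(mac_a, TerminalState("10.4", "2013.12.1"))
    out["a_after"] = aps[1].accepts(mac_a)
    return out
```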
It should be noted that there is no need to separately provide a quarantine VLAN for determining whether the wireless terminal 60 satisfies the predetermined security policy, so no increase in the cost of initial setup or operation arises. Therefore, according to the present embodiment, a situation can be realized in which only terminals satisfying the security policy are connected to the company's internal network, without a significant increase in cost. Although in the embodiment above the company's internal network described as the target of protection by the security policy includes both the wireless network system 1 and a wired LAN, it should be understood that the company's internal network may include only the wireless network system 1.
(C: Modifications)
Although embodiments of the invention have been described above, it should be understood that the present embodiment can be modified as follows.
(1) In the embodiment above, the determination of whether the wireless terminal 60 satisfies the security policy is performed in response to the wireless terminal 60 entering the company premises where the wireless network system 1 is provided, and when the wireless terminal 60 satisfies the security policy, the connection information required for connecting to the wireless access point apparatus 10 is supplied from the terminal management apparatus 50 to the wireless terminal 60 via the Internet 2 and the mobile network 3. However, the connection information may be provided to the wireless terminal 60 before it enters the company premises (in other words, before the wireless access point apparatus 10 detects the wireless terminal 60). In that case, however, there is the following drawback: in order to determine that the wireless terminal 60 satisfies the predetermined security policy, communication via the Internet 2 and the mobile network 3 between the wireless terminal 60 and the terminal management apparatus 50 must be performed frequently to confirm that the wireless terminal 60 satisfies the predetermined security policy, and while that state continues the battery consumption of the wireless terminal 60 increases. It is therefore preferable to determine whether the wireless terminal 60 satisfies the security policy in response to the wireless terminal 60 entering the company premises where the wireless network system 1 is provided, as in the embodiment above.
(2) In the embodiment above, the wireless access point apparatus 10, which incorporates wireless terminals into the wireless network system 1, also serves as the sensor that detects the wireless terminal 60 entering the company premises where the wireless network system 1 is provided. However, it should be understood that the sensor detecting the wireless terminal 60 entering the company premises where the wireless network system 1 is provided may also be provided independently of the wireless access point apparatus 10, although, unlike the embodiment above, this has the drawback of requiring additional equipment investment.
(3) Although in the embodiment above the wireless network system 1 includes the AP controller 30 and the terminal management apparatus 50 as separate devices, it should be understood that the communication system may include the AP controller 30 and the terminal management apparatus 50 as a single device. In this case, the device having both the function of the AP controller 30 and that of the terminal management apparatus 50 becomes the higher-level device relative to the wireless access point apparatus 10. Although in the embodiment above the wireless access point apparatus is made to determine whether the use of a wireless terminal has been applied for in advance, the AP controller 30 may be made to perform that determination, and the wireless access point apparatus may be made to determine only whether the radio wave intensity of the received probe request exceeds the predetermined threshold.
In addition, in the embodiment above, the wireless access point apparatus 10 performs a terminal notification process that notifies the higher-level device of the MAC address when the radio wave intensity of the probe request received from the wireless terminal exceeds the predetermined threshold and the MAC address of the wireless terminal (that is, the terminal identifier of the wireless terminal) is registered in advance, and a process that updates the MAC address filter in response to an instruction from that device. However, the switch 20 or the router 40 may be made to perform each of these processes. For example, when the router 40 is made to perform each process, a terminal notification unit and an update unit may be provided in the router 40. The terminal notification unit performs the following process: in response to receiving a request message (for example, a SYN message requesting establishment of a communication connection with a partner device) transmitted from a wireless terminal, it obtains from the wireless access point apparatus the radio wave intensity of the request message, and when the radio wave intensity exceeds the predetermined threshold and the terminal identifier of the wireless terminal (for example, the IP address of the transmission source of the request message) is registered in advance, it notifies the higher-level device (the terminal management apparatus 50) of the terminal identifier. The update unit performs the process of updating, according to an instruction from the higher-level device, the filter (for example, a filter on IP addresses) for restricting the wireless terminals that communicate via the router. In addition, the router 40 may be a wireless router having the function of a wireless access point apparatus, and the switch 20 may be a switch having the function of a wireless access point apparatus. In short, an aspect may be adopted in which a relay apparatus (a wireless access point apparatus, wireless switch or wireless router that relays communication between a wireless terminal and a communication partner) is provided with a terminal notification unit and an update unit, the terminal notification unit notifying the higher-level device of the terminal identifier of the wireless terminal when the radio wave intensity of the request message received from the wireless terminal exceeds the predetermined threshold and the terminal identifier of the wireless terminal is registered in advance, and the update unit updating, according to an instruction from the higher-level device, the filter for restricting the wireless terminals that communicate via the relay apparatus.
(4) Although in the embodiment above the wireless network system 1 includes the wireless access point apparatus 10 and the terminal management apparatus 50 as separate devices, the communication system may include the wireless access point apparatus 10 and the terminal management apparatus 50 as a single device. That is, the terminal management apparatus 50 need not be prepared as separate hardware for managing terminals, and may be provided as software in any such device.
(5) In the embodiment above, the program that causes the terminal management apparatus 50 to realize the functions characteristic of the terminal management apparatus of the present invention is stored in the non-volatile memory unit 534 of the terminal management apparatus 50. However, the program may be written to a computer-readable recording medium (such as a CD-ROM) and distributed in that form. It may also be distributed by download via an electronic communication line (such as the Internet). This is because operating a general-purpose computer according to a computer program distributed in this way makes that computer serve as the terminal management apparatus of the embodiment above. The same applies to the wireless communication program stored in the non-volatile memory unit 134 of the wireless access point apparatus 10.
(6) In the embodiment above, to enable the wireless terminal 60 to connect to the wireless network system 1 (to communicate with the wireless access point apparatus 10), the terminal management apparatus 50 performs the security policy determination for the wireless terminal 60 via the Internet 2 and the mobile network 3 and then, when the wireless terminal 60 satisfies the security policy, provides the wireless terminal 60 via the Internet 2 and the mobile network 3 with the connection information required for connecting to the wireless access point apparatus 10. However, the communication used to perform the security policy determination or to transmit the connection information required for connecting to the wireless access point apparatus 10 is not limited to the Internet 2 and the mobile network 3, and may use another communication means. For example, infrared, Bluetooth (registered trademark) or near-field communication (NFC) may be used.
The present invention is based on Japanese Patent Application No. 2013-059464 filed on March 22, 2013, the entire content of which is incorporated herein by reference.
Industrial Applicability
According to the present invention, only wireless terminals that satisfy the security policy are connected to the company's internal network, without causing a significant increase in cost.
Reference numerals list
1: Radio Network System
2: the Internet
3: mobile network
10-n (n=1 to N) and 10: wireless access point apparatus
20: switch
30: AP controller
40: router
50: terminal management apparatus
60: wireless terminal
110 and 510: control unit
120: wireless communication I/F unit
520: communication I/F unit
130 and 530: memory unit
132 and 532: volatile memory unit
134 and 534: non-volatile memory unit
540: bus

Claims (10)

1. A wireless network system comprising a relay apparatus and a terminal management apparatus, wherein the terminal management apparatus comprises:
a determination unit configured to communicate with a wireless terminal through a communication network different from the wireless network system, and to determine whether the wireless terminal satisfies a predetermined security policy; and
a connection information transmitting unit configured to transmit connection information for connecting to the relay apparatus to a wireless terminal determined by the determination unit to satisfy the security policy.
2. The wireless network system according to claim 1, wherein the connection information transmitting unit transmits the connection information through the communication network different from the wireless network system.
3. The wireless network system according to claim 1, further comprising:
a detection device that detects that the wireless terminal has entered the service area of the wireless network system,
wherein the terminal management apparatus uses the determination unit to perform the determination regarding the security policy for a wireless terminal detected by the detection device as having entered the service area of the wireless network system.
4. The wireless network system according to claim 3, wherein the relay apparatus serves as the detection device.
5. A terminal management apparatus comprising:
a determination unit configured to communicate with a wireless terminal through a communication network different from a wireless network system that includes a relay apparatus, and to determine whether the wireless terminal satisfies a predetermined security policy; and
a connection information transmitting unit configured to transmit connection information for connecting to the relay apparatus to a wireless terminal determined by the determination unit to satisfy the security policy.
6. A relay apparatus included in a wireless network system, the relay apparatus comprising:
a terminal notification unit configured to notify a higher-level device of the terminal identifier of a wireless terminal when the radio wave intensity of a request message received from the wireless terminal exceeds a predetermined threshold and the terminal identifier of the wireless terminal is registered in advance; and
an update unit configured to update, according to an instruction from the higher-level device, a filter that restricts the wireless terminals communicating through the relay apparatus.
7. The relay apparatus according to claim 6, wherein the request message is a probe request, the terminal identifier is a MAC address, and the filter is a MAC address filter.
8. The relay apparatus according to claim 6, further comprising:
a communication unit configured to perform communication, using the wireless network system, with a wireless terminal that has obtained, through a communication network different from the wireless network system, connection information for connecting to the relay apparatus.
9. A communication method comprising:
communicating with a wireless terminal through a communication network different from a wireless network system that includes a relay apparatus, and determining whether the wireless terminal satisfies a predetermined security policy; and
transmitting connection information for connecting to the relay apparatus to a wireless terminal determined to satisfy the security policy.
10. A communication method for a relay apparatus included in a wireless network system, the communication method comprising:
notifying a higher-level device of the terminal identifier of a wireless terminal when the radio wave intensity of a request message received from the wireless terminal exceeds a predetermined threshold and the terminal identifier of the wireless terminal is registered in advance; and
updating, according to an instruction from the higher-level device, a filter that restricts the wireless terminals communicating through the relay apparatus.
CN201480017480.0A 2013-03-22 2014-03-17 Radio Network System, terminal management apparatus, relay apparatus and communication means Active CN105052177B (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
JP2013-059464 2013-03-22
JP2013059464A JP6163808B2 (en) 2013-03-22 2013-03-22 Wireless network system, terminal management device, and wireless relay device
PCT/JP2014/057206 WO2014148448A1 (en) 2013-03-22 2014-03-17 Wireless network system, terminal management device, wireless relay device, and communications method

Publications (2)

Publication Number Publication Date
CN105052177A true CN105052177A (en) 2015-11-11
CN105052177B CN105052177B (en) 2018-11-30

Country Status (4)

Country Link
US (1) US10575177B2 (en)
JP (1) JP6163808B2 (en)
CN (1) CN105052177B (en)
WO (1) WO2014148448A1 (en)